US taking ‘whole of government response’ to apparent China-backed Microsoft hack


The Biden administration is undertaking a “whole of government response” to investigate and respond to the cyberattacks against Microsoft’s Exchange Server, which the Big Tech company assessed are being carried out by a sophisticated Chinese state-backed hacker group.

Microsoft announced it detected “multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks” last week and said its Threat Intelligence Center attributed the cyber campaign with “high confidence” to a hacker group dubbed “Hafnium.” Microsoft said the hacker group was “state-sponsored” and operating out of China.

Over the weekend, the FBI said it is “aware of Microsoft’s emergency patch for previously unknown vulnerabilities in Exchange Server software, attributed to the advanced persistent threat actor known by Microsoft as Hafnium.” The bureau declined to comment when asked if this meant the FBI was also assessing if this was a Chinese operation.

“We are undertaking a whole of government response to assess and address the impact,” a White House official told the Washington Examiner. “The Cybersecurity and Infrastructure Security Agency has issued an emergency directive to agencies. High levels of the National Security Council are working to address the incident, working with our public and private partners, and looking closely at the next steps we need to take. We will keep you updated. This is an active threat still developing, and we urge network operators to take it very seriously.”

The FBI said it is “working closely with our interagency and private sector partners to understand the scope of the threat.”

The White House official said the Biden administration is “aware of the public reporting that these actors are stepping up their efforts” and that “this is often the case after a public disclosure as the attackers know they’ve been spotted and go into overdrive to compromise as many victims as possible before they patch their systems.” The official urged organizations to move quickly to patch their servers.

Last week, Microsoft said the Chinese hackers used Microsoft vulnerabilities to access email accounts and install additional malware “to facilitate long-term access to victim environments.” The company said Hafnium “primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs” and that it “operates primarily from leased virtual private servers in the United States.”

Microsoft Exchange Server handles email, calendar, scheduling, contact, and collaboration services for the organizations that deploy it. The NSC warned that “patching and mitigation is not remediation if the servers have already been compromised” and said, “It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”

The Cybersecurity and Infrastructure Security Agency said it “is aware of widespread domestic and international exploitation of these vulnerabilities” and “strongly recommends” organizations run a security script “as soon as possible.” Pentagon spokesman John Kirby said on Friday that they were “taking all necessary threats to identify and remedy any possible issues related to the situation.”

Cybersecurity expert Brian Krebs first reported, “At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities, and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber-espionage unit that’s focused on stealing email from victim organizations.” Numerous other outlets soon cited sources claiming that tens of thousands of customers were likely affected.

The blog of cybersecurity firm Huntress contended that “the webshell that these threat actors are using is known as the ‘China Chopper’ one-liner.” Another cybersecurity firm, FireEye, said that in a separate environment, it had seen the vulnerable Microsoft Exchange Server exploited by a threat actor using a webshell that matched China Chopper, which it says has “growing prevalence, especially among Chinese cybercriminals.”

White House press secretary Jen Psaki said on Friday that “this is a significant vulnerability that could have far-reaching impacts” and “this is an active threat.” She added that “we are concerned that there are a large number of victims and are working with our partners to understand the scope of this.”

Last week, Microsoft executive Tom Burt called the Chinese hacker group “a highly skilled and sophisticated actor” that “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.”

He stressed that “the exploits we’re discussing today were in no way connected to the separate SolarWinds-related attacks.”

The Chinese Foreign Ministry rejected Microsoft’s claim that China was involved in the newly discovered cyberattacks, just as Russia has denied culpability for the SolarWinds hack.
